Sandwich

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as blockchain sandwich analysis, but the included script is actually a local note database that stores, deletes, and exports text.

Install only if you want a simple local data-entry CLI, not a blockchain sandwich-analysis tool. Do not enter secrets, wallet data, private research, or incident details: added content is stored unencrypted under ~/.sandwich by default, the remove command can delete entries without confirmation, and the export command writes plaintext files in the current directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The manifest advertises blockchain sandwich-analysis functionality, while the command set implements a generic local data manager. In an agent ecosystem, this semantic mismatch can be exploited to smuggle file-manipulation capabilities into contexts that would otherwise permit only analytical/read-only tooling.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The title and description frame the skill as an analysis tool, but the command descriptions reveal entry management, export, and deletion features. This inconsistency increases the chance of unsafe invocation by users or orchestrators that rely on metadata to judge risk, especially when analysis skills are expected to be non-destructive.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The script advertises sandwich/on-chain analysis, but the implemented behavior is a local note/config database with add, remove, export, and search capabilities. This mismatch is dangerous because users or orchestrators may grant or invoke the skill under false assumptions, enabling unintended local data collection and persistence outside the declared purpose.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The config command provides arbitrary key/value persistence unrelated to sandwich analysis, expanding the skill's capability surface beyond its stated purpose. In an agent context, unjustified configuration storage can be abused to hide state, retain sensitive values, or create covert persistence that reviewers and users would not expect from an analysis tool.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Add, remove, list, search, and export implement a generic local data-management utility rather than a sandwich-analysis tool. In a skill ecosystem, this capability mismatch is risky because it enables collection, retention, and exfiltration of arbitrary user-provided content under the cover of a benign-seeming analytical skill.

Intent-Code Divergence

High
Confidence: 96%
Finding
The help text explicitly claims analytical and on-chain functionality that the code does not provide, which misrepresents the skill's real behavior. Misleading operator-facing documentation increases the chance that the tool is trusted, installed, or granted permissions inappropriate for what is actually a local persistence utility.

Missing User Warnings

Medium
Confidence: 87%
Finding
The documentation includes export and removal operations without warning that they modify or delete local data. Lack of disclosure and confirmation guidance can lead to accidental data loss or unintended propagation of stored content, particularly if an autonomous agent executes commands based only on brief command summaries.

VirusTotal

64/64 vendors flagged this skill as clean.
